[SM-USERS] Squirrelmail + iptables conflict


[SM-USERS] Squirrelmail + iptables conflict

J. Chieppa
I'm having an interesting problem with squirrelmail and my basic
iptables firewall (posted at the bottom of the message).  The issue
seems to be limited to the final line of the firewall which tells it
to drop everything not already allowed.  With that line present, even
though I've allowed port 143 I get the error message that states

"Error connecting to IMAP server: nix.domain.com.
110 : Connection timed out"

As soon as I remove that line from the firewall squirrelmail can log
in just fine.

However even with that line present I can log into the Courier Imap
service via either telnet or a standard mail client like Outlook /
Outlook Express.

I'm racking my brain trying to figure this one out.  I want to specify
which services are allowed and block everything else by default and I
can't seem to figure out why squirrelmail can't connect with that line
in place.

I'd appreciate any suggestions anyone can offer.

#!/bin/bash
# Change the part after the = to where the iptables binary is on your system
IPTABLES=/sbin/iptables

# Flush existing rules in INPUT and OUTPUT. This does not change the chain
# policies, which stay at their previous value (ACCEPT by default).
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT

# Replies to already-tracked connections, but only when they arrive on eth0
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

# Services open to any source address, on any interface
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 783 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 783 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6900:6910 -j ACCEPT

# MySQL only from one trusted host
$IPTABLES -A INPUT -p tcp -s 216.229.107.32 --dport 3306 -j ACCEPT

# Traffic sent by the allowed services. The OUTPUT policy is still ACCEPT, so
# these rules only matter if a catch-all is ever added to OUTPUT.
$IPTABLES -A OUTPUT -p tcp --sport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 783 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 783 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 6900:6910 -j ACCEPT

# Reject any other incoming TCP. Nothing above accepts traffic arriving on the
# loopback interface (lo) unless it happens to hit one of the --dport rules.
$IPTABLES -A INPUT -p tcp -j REJECT


-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: [hidden email]
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: [SM-USERS] Squirrelmail + iptables conflict

J. Craig Woods
After becoming spoiled by a hardware firewall, i.e. a router, I think I
remember something about IPTABLES. The logic of iptables' rules is that the
most restrictive rules should go first, with exception rules going next.
IPTABLES reads and sets rules from first to last. This might be where you're
getting stung...

Cheers

--
J. Craig Woods
UNIX/Linux System Engineer
http://www.trismegistus.net/resume.htm
Entropy requires no maintenance.

> I'm having an interesting problem with squirrelmail and my basic
> iptables firewall (posted at the bottom of the message).  The issue
> seems to be limited to the final line of the firewall which tells it
> to drop everything not already allowed.  With that line present, even
> though I've allowed port 143 I get the error message that states
>
> "Error connecting to IMAP server: nix.domain.com.
> 110 : Connection timed out"
>
> As soon as I remove that line from the firewall squirrelmail can log
> in just fine.
>
> However even with that line present I can log into the Courier Imap
> service via either telnet or a standard mail client like Outlook /
> Outlook Express.
>
> I'm racking my brain trying to figure this one out.  I want to specify
> which services are allowed and block everything else by default and I
> can't seem to figure out why squirrelmail can't connect with that line
> in place.
>
> I'd appreciate any suggestions anyone can offer.




RE: [SM-USERS] Squirrelmail + iptables conflict

Marc Powell
In reply to this post by J. Chieppa


> -----Original Message-----
> From: [hidden email] [mailto:squirrelmail-[hidden email]] On Behalf Of J. Chieppa
> Sent: Friday, November 04, 2005 8:03 PM
> To: [hidden email]
> Subject: [SM-USERS] Squirrelmail + iptables conflict
>
> I'm having an interesting problem with squirrelmail and my basic
> iptables firewall (posted at the bottom of the message).  The issue
> seems to be limited to the final line of the firewall which tells it
> to drop everything not already allowed.  With that line present, even
> though I've allowed port 143 I get the error message that states
>
> "Error connecting to IMAP server: nix.domain.com.
> 110 : Connection timed out"
>
> As soon as I remove that line from the firewall squirrelmail can log
> in just fine.
>
> However even with that line present I can log into the Courier Imap
> service via either telnet or a standard mail client like Outlook /
> Outlook Express.
>
> I'm racking my brain trying to figure this one out.  I want to specify
> which services are allowed and block everything else by default and I
> can't seem to figure out why squirrelmail can't connect with that line
> in place.

Just a suggestion but instead of just guessing what iptables might be
doing why don't you reject and log? That way you'll know exactly what
it's seeing and can more easily determine why it's dropping the packets.

--
Marc
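Marc's "reject and log" suggestion in working form, as an added example that is not code from the thread. It puts a rate-limited LOG rule ahead of the catch-all REJECT, gives the logged lines their own file through an rsyslog filter, and summarises them with awk over a constructed kern.log excerpt. The prefix "IPT-INPUT-REJECT: ", the rate limit, the rsyslog syntax (assumed rsyslog 7 or later) and the sample log lines are all assumptions. The first sample line is what a LOG rule placed in front of the posted script's final REJECT would record for the IMAP server's SYN/ACK coming back over loopback: the posted ESTABLISHED rules only match -i eth0, so that reply matches nothing and reaches the REJECT, and SquirrelMail's client side never sees it.

```shell
#!/bin/bash
# Added example (not from the thread): log unmatched INPUT traffic before
# rejecting it, route those lines to their own file, and summarise them.
# Prefix, limits, rsyslog syntax and the sample log lines are assumptions.

IPTABLES=/sbin/iptables
LOG_PREFIX="IPT-INPUT-REJECT: "

# Append a rate-limited LOG rule and then the catch-all. LOG is non-terminating,
# so the same packet continues to the REJECT rule behind it. tcp-reset makes a
# refused TCP client fail at once instead of retransmitting until it times out.
install_log_then_reject() {
    $IPTABLES -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -j REJECT
}

# rsyslog filter (legacy syntax, assumed rsyslog 7 or later): prefixed kernel
# messages go to /var/log/iptables.log and "& stop" keeps them out of kern.log,
# messages and syslog. Write it to /etc/rsyslog.d/10-iptables.conf and restart.
rsyslog_filter() {
    printf ':msg, contains, "%s" -/var/log/iptables.log\n& stop\n' "$LOG_PREFIX"
}

# Summarise LOG lines from stdin as "iface proto src:spt -> dst:dpt", ignoring
# lines without the prefix. Usage: grep "$LOG_PREFIX" /var/log/kern.log | summarize_rejects
summarize_rejects() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }
        {
            split("", f)                       # reset the key=value map per line
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            printf "%s %s %s:%s -> %s:%s\n", f["IN"], f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"]
        }'
}

# Constructed kern.log excerpt (assumes SquirrelMail points at localhost).
# Line 1: the IMAP server's SYN/ACK (SPT=143) travelling back over lo, which the
# posted ruleset sends to its final REJECT because ESTABLISHED is tied to eth0.
# Line 2: an unrelated probe from outside. Line 3: a non-iptables line to ignore.
SAMPLE_KERN_LOG='Nov  8 12:19:01 nix kernel: IPT-INPUT-REJECT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=143 DPT=40210 WINDOW=32767 RES=0x00 ACK SYN URGP=0
Nov  8 12:19:05 nix kernel: IPT-INPUT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4444 DF PROTO=TCP SPT=3122 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  8 12:19:06 nix sshd[1234]: Accepted publickey for jesse from 198.51.100.9 port 50000 ssh2'

demo_summary() {
    printf '%s\n' "$SAMPLE_KERN_LOG" | summarize_rejects
}

if [ "${1:-}" = "--apply" ]; then
    install_log_then_reject        # needs root and a live netfilter
else
    demo_summary
fi
```

Run with no arguments it prints the two-line summary of the constructed excerpt; with --apply (as root) it installs the rules. The rate limit means a burst of rejects beyond 5 per minute is still rejected but not logged, so raise it while debugging a single connection and lower it again afterwards.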



Re: [SM-USERS] Squirrelmail + iptables conflict

Jon Angliss
In reply to this post by J. Craig Woods
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sat, November 5, 2005 00:31, J. Craig Woods wrote:
> After becoming spoiled by a hardware firewall, i.e. a router, I think I
> remember something about IPTABLES. The logic of iptables' rules is that the
> most restrictive rules should go first, with exception rules going next.
> IPTABLES reads and sets rules from first to last. This might be where
> you're getting stung...

From my understanding it reads them top to bottom as you have put them...
I think you are thinking of policy blocking, i.e. define the policy on
INPUT as reject/drop and then permit what you want in the rules.

- --
Jonathan Angliss
<[hidden email]>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkNtEwUACgkQK4PoFPj9H3M7GwCgoKDeDctvL1gyCx2304BBR66q
Q4kAoOdnrtGXOk1kIuPkluVn7qToiiNV
=MDj4
-----END PGP SIGNATURE-----




Re: [SM-USERS] Squirrelmail + iptables conflict

David Koski
On Saturday 05 November 2005 12:16 pm, Jonathan Angliss wrote:
> From my understanding it reads them top to bottom as you have put them...

That is controlled by the "-A" parameter versus the "-I".

David



Re: [SM-USERS] Squirrelmail + iptables conflict

J. Chieppa
In reply to this post by Marc Powell
My understanding of iptables was it read top to bottom and you could either
specify a default policy or the $iptables -A INPUT -j drop at the last line.
To see if it would make any difference I removed the last line and instead
specified a default policy of drop for all incoming packets then left the
rest.  I still get the same error message trying to log into squirrelmail.

Marc Powell mentioned:
>Just a suggestion but instead of just guessing what iptables might be
>doing why don't you reject and log? That way you'll know exactly what
>it's seeing and can more easily determine why it's dropping the packets.

I tried adding a -LOG rule and then testing it.  I then searched the
kern.log, messages and syslog files and wasn't able to find anything in the
logs from my IP to the Linux box on port 143 or 80.  Perhaps you could show me
the syntax you would use for testing.  I may not have used the correct one.

Any other suggestions are greatly appreciated.





Re: [SM-USERS] Squirrelmail + iptables conflict

Jon Angliss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, November 8, 2005 12:19, J. Chieppa wrote:
> My understanding of iptables was it read top to bottom and you could
> either specify a default policy or the $iptables -A INPUT -j drop at the
> last line. To see if it would make any difference I removed the last line
> and instead specified a default policy of drop for all incoming packets
> then left the rest.  I still get the same error message trying to log into
> squirrelmail.

I forgot to ask this, but what IMAP server?  Is it courier by any chance?
What distribution are you using?  Have you tried shorewall for iptables
configuration? Makes life a little easier I've found.

If you /are/ using courier, try finding your imapd file, and checking your
MAXPERIP setting, and bumping it up.  If I remember correctly, the default
is down at 4, and if your iptables policy is causing some kind of "lock",
or delay in closing, on the connection which keeps it open, any further
connection attempts might cause you problems.

- --
Jonathan Angliss
<[hidden email]>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkNxeQ4ACgkQK4PoFPj9H3PXpgCdFsGAmD4EsaK1HRENQjf3MeaC
uzEAnRKoJvI70jDxgxIAQ9W7al0R+/iX
=RZyA
-----END PGP SIGNATURE-----




Re: [SM-USERS] Squirrelmail + iptables conflict

J. Chieppa
Jon,

Yes, I am running Courier, but the problem turned out to be unrelated
to the MAXPERIP setting. I was finally able to see what was happening
via iptables logging to the screen (I couldn't get it to log this
particular drop to a file for some reason) and fixed the issue by
rewriting my firewall to include the following line:

"$IPTABLES -A INPUT -i lo -j ACCEPT"

Now if I could just easily get iptables to log dropped packets to its
own file, rather than kern.log/messages/syslog, I'd be a happy camper.

-Jesse
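Why that one line fixes it, and a rewritten ruleset built around it, as an added example that is not Jesse's script (the thread shows only the single lo line of it). SquirrelMail runs in PHP on the same host as Courier and connects to the IMAP daemon over the loopback interface, and on loopback every packet passes through OUTPUT and then INPUT. The posted script's three ESTABLISHED rules are restricted to -i eth0, so the IMAP server's replies (source port 143, arriving on lo) match nothing and fall through to the final "-p tcp -j REJECT"; the PHP client never sees the SYN/ACK and times out, which is errno 110 in the SquirrelMail error. Telnet and Outlook sessions arrive on eth0 and are covered, which is why they worked, and a DROP policy instead of the final rule drops the same packets, which is why that experiment changed nothing. The script below accepts lo first, drops the interface restriction from the conntrack rule, sets policies before flushing so a half-run script fails closed, and leaves port 783 (spamd) off the public list since the lo rule already covers local delivery. The lint function reads "iptables -S INPUT" output and flags both original mistakes; the two listings it is run against are constructed for this example.

```shell
#!/bin/bash
# Added example (not the poster's final script): the ruleset rewritten around the
# loopback fix, plus a check that reads "iptables -S INPUT" output and flags the
# two mistakes in the original. The lint and both sample listings are constructed.

IPTABLES=/sbin/iptables

apply_firewall() {
    # Policies first, so a failure half-way through the script fails closed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT

    # SquirrelMail (PHP under Apache) talks to Courier IMAP, and PHP to MySQL,
    # over loopback; both directions of a lo connection pass through INPUT.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Replies to tracked connections on any interface. The original bound this
    # to -i eth0, so the IMAP server's replies arriving on lo fell through.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -p icmp -j ACCEPT

    # Public services from the original: FTP, SSH, SMTP, HTTP, POP3, IMAP, HTTPS,
    # IMAPS. 783 (spamd) is left out: it only needs to be reachable from this
    # host, which the lo rule covers. The UDP copies of TCP ports did nothing.
    for port in 20 21 22 25 80 110 143 443 993; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -p tcp --dport 6900:6910 -m state --state NEW -j ACCEPT
    # MySQL only from the one trusted address, as in the original.
    $IPTABLES -A INPUT -p tcp -s 216.229.107.32 --dport 3306 -m state --state NEW -j ACCEPT

    # Everything else: log (rate-limited) and fall through to the DROP policy.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

# Lint an "iptables -S INPUT" listing from stdin. Prints one line per finding and
# returns 1 if there are any, 0 when clean. Catches a conntrack ESTABLISHED rule
# tied to an interface, and a catch-all DROP/REJECT rule or DROP policy with no
# loopback accept in front of it.
check_ruleset() {
    awk '
        /^-P INPUT (DROP|REJECT)/ { policy_drops = 1 }
        /^-A INPUT -i lo -j ACCEPT/ { lo_seen = 1 }
        /(--state|--ctstate) [A-Z,]*ESTABLISHED/ && / -i / {
            print "ESTABLISHED rule bound to one interface: " $0; bad = 1 }
        /^-A INPUT (-p (tcp|udp) )?-j (DROP|REJECT)/ && !lo_seen {
            print "catch-all rule with no loopback accept before it: " $0; bad = 1 }
        END {
            if (policy_drops && !lo_seen) { print "INPUT policy drops and no loopback accept rule"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed "iptables -S INPUT" output for the posted script (abridged) ...
ORIGINAL_LISTING='-P INPUT ACCEPT
-A INPUT -i eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable'

# ... and for apply_firewall above (abridged).
REWRITTEN_LISTING='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "'

check_original()  { printf '%s\n' "$ORIGINAL_LISTING"  | check_ruleset; }
check_rewritten() { printf '%s\n' "$REWRITTEN_LISTING" | check_ruleset; }

case "${1:-}" in
    --apply) apply_firewall ;;                 # needs root and a live netfilter
    --check) check_ruleset ;;                  # iptables -S INPUT | ./fw.sh --check
    *)
        echo "original listing:";  check_original || true
        echo "rewritten listing:"; check_rewritten && echo "  clean"
        ;;
esac
```

With no arguments the script lints the two constructed listings (four findings for the original, none for the rewrite); "--check" lints whatever is piped in, so it can be run against a live box before the catch-all goes in. Note that the lint only sees rule order, which is exactly the -A versus -I question raised earlier in the thread: a loopback rule inserted with -I at the top passes, one appended after the catch-all does not.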

On 11/8/05, Jonathan Angliss <[hidden email]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Tue, November 8, 2005 12:19, J. Chieppa wrote:
> > My understanding of iptables was it read top to bottom and you could
> > either specify a default policy or the $iptables -A INPUT -j drop at the
> > last line. To see if it would make any difference I removed the last line
> > and instead specified a default policy of drop for all incoming packets
> > then left the rest.  I still get the same error message trying to log into
> > squirrelmail.
>
> I forgot to ask this, but what IMAP server?  Is it courier by any chance?
> What distribution are you using?  Have you tried shorewall for iptables
> configuration? Makes life a little easier I've found.
>
> If you /are/ using courier, try finding your imapd file, and checking your
> MAXPERIP setting, and bumping it up.  If I remember correctly, the default
> is down at 4, and if your iptables policy is causing some kind of "lock",
> or delay in closing, on the connection which keeps it open, any further
> connection attempts might cause you problems.

